!! Interface IP tracking (ScreenOS): the interface is declared down when the tracked host stops answering pings
!! Choose a stable target you control -- any loss of ICMP reachability to it (filtering, maintenance, outage) triggers this failover
set interface <interface> monitor track-ip ip
!! Interface-level threshold: the summed weight of failed targets needed to bring the interface down
set interface <interface> monitor track-ip threshold 255
!! Per-target threshold: 10 failed pings mark this target as failed
set interface <interface> monitor track-ip ip <IP-to-monitor> threshold 10
!! Weight 255 meets the interface threshold (255) on its own, so this single target failing brings the interface down
set interface <interface> monitor track-ip ip <IP-to-monitor> weight 255

Notes:

  • The interface is brought down after 10 failed pings to the tracked IP, because the target's weight (255) meets the interface threshold (255)


!! Configure the Zone, Tunnel Interface, and Route
!! tcp-rst: presumably answers unsolicited non-SYN TCP segments on this zone with a RST so clients drop stale sessions -- confirm against the ScreenOS zone reference
set zone "VPN" tcp-rst 
!! SYN-flood screen on the VPN zone; 1024 is the proxied-connection queue size
set zone "VPN" screen syn-flood queue-size 1024

!! Route-based VPN: the tunnel interface is placed in the VPN zone and borrows the external interface's address (unnumbered)
set interface "tunnel.<#>" zone "VPN"
set interface tunnel.<#> ip unnumbered interface <External-Interface>

!! Return route for the client pool points into the tunnel; <Pool-Network>/<CIDR> must cover the ippool range
set route <Pool-Network>/<CIDR> interface tunnel.<#>

!! Configuring ACE/RSA Settings
!! XAuth authentication is delegated to the RSA ACE server over RADIUS; backup1 is tried when the primary is unreachable
set auth-server "<Ace-Name>" server-name "<Primary-Server-IP/Domain-Name>"
set auth-server "<Ace-Name>" backup1 "<Secondary-Server-IP/Domain-Name>"
set auth-server "<Ace-Name>" account-type xauth 
!! NOTE(review): confirm what timeout 0 means on this ScreenOS release (no idle timeout vs. default) before relying on it
set auth-server "<Ace-Name>" timeout 0
!! NOTE(review): forced-timeout is expressed in minutes on ScreenOS (verify); a value of 2 forces frequent re-authentication -- confirm it is intended
set auth-server "<Ace-Name>" forced-timeout 2
!! The RADIUS shared secret is a credential: keep it out of shared snippets and repos and rotate it together with the ACE server
set auth-server "<Ace-Name>" radius secret "<Ace-Password>" 

!! Configure the pool
!! Addresses handed to XAuth clients; the range must sit inside the tunnel route and the "VPN-Pool" address object used by the policy
set ippool "<VPN-Pool-Name>" <Pool-Start-IP> <Pool-End-IP>

!! Configuring User VPN Defaults
!! Pool, DNS and WINS settings pushed to every XAuth client; authentication goes to the ACE/RSA server defined above
set xauth default ippool "<VPN-Pool-Name>"
set xauth default dns1 <Primary-DNS-Server>
set xauth default dns2 <Secondary-DNS-Server>
set xauth default wins1 <Primary-WINS-Server>
set xauth default wins2 <Secondary-WINS-Server>
set xauth default auth server "<Ace-Name>"

!! Configuring the Users And VPNs
!! Each dialup user is identified by an FQDN IKE ID; per-user authentication is XAuth, and local password auth is disabled (unset ... type auth)
!! Repeat this stanza per user; the group is what the IKE gateway references
set user "<username>" ike-id fqdn "<username>" share-limit 1            !! Share-limit for each user MUST be 1 if more than 1 user will be added to the group
set user "<username>" type ike xauth
unset user "<username>" type auth
set user "<username>" "enable"
set user-group "<Group-Name>" user "<username>"

!! Aggressive-mode dialup gateway with a group pre-shared key: the PSK is shared by every user in the group, so per-user accountability rests on XAuth (last line)
!! NOTE(review): aggressive mode with a PSK exposes the key to offline guessing by anyone who can observe a negotiation -- use a long random PSK and treat it as a credential
!! NOTE(review): "pre-g2-3des-sha" (DH group 2, 3DES) is a legacy proposal; prefer an AES proposal with a stronger DH group if the client supports it
set ike gateway "<Gateway-Name>" dialup "<User-Group>" Aggr outgoing-interface "<External-Interface>" preshare "<PSK>" proposal "pre-g2-3des-sha"
!! NAT traversal with UDP checksums; 5-second keepalives keep the NAT mapping alive for clients behind NAT
set ike gateway "<Gateway-Name>" nat-traversal udp-checksum
set ike gateway "<Gateway-Name>" nat-traversal keepalive-frequency 5
!! XAuth is the per-user factor on top of the shared PSK
set ike gateway "<Gateway-Name>" xauth server "<Ace-Name>"

!! NOTE(review): no-replay disables IPsec anti-replay protection for this VPN; use the replay keyword instead unless a specific client cannot handle it
!! NOTE(review): "nopfs-esp-3des-sha" gives no Perfect Forward Secrecy and uses 3DES; a PFS/AES phase-2 proposal is preferable if the client supports it
!! idletime 10: unit not shown here -- confirm (ScreenOS documents it in minutes) before tuning
set vpn "<VPN-Name>" gateway "<Gateway-Name>" no-replay tunnel idletime 10 proposal "nopfs-esp-3des-sha" 
!! Route-based VPN: bind the SA to the tunnel interface created above
set vpn "<VPN-Name>" bind interface tunnel.<#>

!! Configure the policies to use Accept - Example Below
!! Address object for the client pool (must match the ippool range) and a logged permit from the pool into Trust
!! NOTE(review): service "Any" to destination "Any" gives pool clients full reach into Trust; narrow both to what clients actually need
set address "VPN" "VPN-Pool" 10.100.100.0 255.255.255.0
set policy from "VPN" to "Trust" "VPN-Pool" "Any" "Any" Permit log

Notes:

  • This configuration tunnels ALL client traffic (no split tunneling). Split tunneling requires multiple VPNs with proxy-IDs

Documentation


!! Disable and re-enable the NSM agent -- presumably forces the device to reconnect/re-register with the NSM server; verify before using on a production box
unset nsm enable
set nsm enable


!! Node A - Master
!! rto-mirror sync: mirror run-time objects (sessions) to the peer so established flows survive a failover
!! monitor interface: if eth1 or eth3 fails on this node, the node is demoted
!! NOTE(review): in NSRP the LOWER priority number wins the VSD-group election. With A=100 and B=90, B is the preferred master when both nodes elect together -- confirm intent or swap the values
!! NOTE(review): without preempt on the VSD group, the first node up stays master regardless of priority
set nsrp rto-mirror sync
set nsrp monitor interface eth1
set nsrp monitor interface eth3
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 100

!! Node B - Backup
!! Same cluster id and monitored interfaces as Node A; only the priority differs
!! NOTE(review): NSRP control and RTO traffic on the HA links is unauthenticated unless configured; consider enabling NSRP authentication and encryption (set nsrp auth password / set nsrp encrypt password on ScreenOS, if this release supports them)
set nsrp rto-mirror sync
set nsrp monitor interface eth1
set nsrp monitor interface eth3
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 90
save
exec nsrp sync global-config save  !! Performed on the backup device: pulls the master's configuration and saves it locally

Notes:

  • Configure the interfaces BEFORE performing the NSRP configuration
  • After syncing the configuration, reboot the secondary firewall


!! Cisco ASA: basic threat detection plus automatic shun of hosts flagged as scanners
threat-detection basic-threat
!! except: exempt trusted sources (authorised vulnerability scanners, monitoring hosts) so they are never shunned
threat-detection scanning-threat shun except ip-address XXX.XXX.XXX.XXX 255.255.255.255   !! Exceptions, if needed
!! Shun lasts 3600 seconds (1 hour)
threat-detection scanning-threat shun duration 3600

Documentation


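!! Install a license key (the string that follows "advanced=", entered on one line) and then verify it
exec license-key <key>
get license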

Notes:

  • <key> is the string that follows "advanced="; enter it with no spaces or line breaks


!! Health and troubleshooting commands (ScreenOS)
get sys  !! Uptime and system information
get perf session  !! Connection Count
get perf cpu detail  !! CPU utilisation
get perf cpu all detail  !! * means above threshold
get event level critical  !! View failovers or other critical events
get counter statistics  !! CRC errors, etc


// PAN-OS high-availability operations
// NOTE: suspend is disruptive -- the peer takes over the active role; functional only makes this device eligible again (it stays passive unless preemption is configured)
request high-availability state suspend                     // Fail master to peer and set to ineligible
request high-availability state functional                    // Set device back as eligible
show high-availability state                        // View current HA state
show high-availability link                            // View current HA link state 
show high-availability all                             // View high-availability state information
show high-availability control-link                     // View the control link statistics
show high-availability state-synchronization         // View the synchronization state to the peer device


// PAN-OS dry-run policy lookups (protocol 6 = TCP); run both for the same flow so the NAT translation and the security verdict are checked together
test nat-policy-match source <source> destination <dest> protocol 6 destination-port <tcp port>
test security-policy-match source <source> destination <dest> protocol 6 destination-port <tcp port>

Documentation


!! Junos (SRX) log files of interest
/var/log/chassisd                !! Hardware and chassis control logs
/var/log/idpd                    !! IDP daemon, events, and failures
/var/log/interactive-commands    !! View the commands run by users on the firewall (operator audit trail; preserve it during incident response)
/var/log/jsprd                    !! HA logs  -- NOTE(review): the Junos redundancy daemon is jsrpd; confirm the path spelling
/var/log/kmd                    !! IKE Negotiation logs
/var/log/messages                !! Start place for locating logs
/var/log/utmd                    !! UTM related logs
